48f0bfc703
security: fix for vulnerability CVE-2014-0017
...
When accepting a new connection, a forking server based on libssh forks
and the child process handles the request. The RAND_bytes() function of
openssl doesn't reset its state after the fork, but simply adds the
current process id (getpid) to the PRNG state, which is not guaranteed
to be unique.
This can cause several children to end up with the same PRNG state, which is
a security issue.
Conflicts:
src/bind.c
2014-03-04 09:54:25 +01:00
87549f7bb6
tests: Add a sftp_read blocking test.
2013-10-23 15:54:12 +02:00
d7ab3d7b3d
socket: Call data handler as long as handler takes data.
...
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-10-06 17:48:40 +02:00
f17788adc2
Update ChangeLog.
libssh-0.5.5
2013-07-26 08:42:26 +02:00
23e0053a41
BUG 103: Disable proxy command if set to 'none'.
...
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2013-07-26 08:42:26 +02:00
b6788f369e
client: Fix possible NULL pointer dereference.
2013-07-26 08:42:26 +02:00
4cc4236182
kex: Fix a double free.
2013-07-26 08:42:26 +02:00
21a1c51eef
Check for NULL pointers in channels.c
2013-07-26 08:42:26 +02:00
d796de288e
cmake: Set application version as package version.
2013-07-26 08:42:26 +02:00
7ba381116d
BUG 103: Fix ProxyCommand parsing.
2013-06-02 19:33:57 +02:00
6f59c0534d
config: Rename ssh_config_get_str().
2013-06-02 19:33:57 +02:00
494fb26b01
opts: Fix segfault in option parser.
2013-06-02 19:33:57 +02:00
d0f9320602
cmake: Fix setting -D_FORTIFY_SOURCE=2.
2013-06-02 19:33:56 +02:00
5826cb6ab2
poll: return error on poll() when pollset is empty
...
(cherry picked from commit 222a0d78ca)
2013-02-27 08:07:44 +01:00
bbdef245a1
Update version number to 0.5.5.
2013-02-12 14:30:22 +01:00
a0d894dd2a
server: Fix typo in dh_handshake_server().
...
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-02-05 21:16:04 +01:00
05d8421290
Update to version 0.5.4.
libssh-0.5.4
2013-01-22 11:52:36 +01:00
55b09f4264
CVE-2013-0176: Fix a remote DoS if the client doesn't send a matching kex.
...
Thanks to Yong Chuan Koh, X-Force Research <kohyc@sg.ibm.com>
2013-01-14 14:38:55 +01:00
f128338132
options: Fix a free crash bug if we parse unknown options.
...
Thanks to Yong Chuan Koh, X-Force Research <kohyc@sg.ibm.com>
2013-01-11 08:52:27 +01:00
ba231d0844
channels1: Fix several possible null pointer dereferences.
...
(cherry picked from commit b811b89f57)
2013-01-10 13:55:12 +01:00
6da817aa47
Update ChangeLog.
libssh-0.5.3
2012-11-14 17:56:48 +01:00
05ed61848f
cmake: Bump version number.
2012-11-14 17:11:03 +01:00
d63f19c300
CVE-2012-4561: Fix possible free's on invalid pointers.
2012-11-14 17:11:03 +01:00
455da60846
CVE-2012-4561: Fix error handling of try_publickey_from_file().
2012-11-14 17:11:03 +01:00
46b2eb3c14
CVE-2012-4559: Make sure we don't free name and longname twice on error.
2012-11-14 17:11:03 +01:00
6236001ff4
CVE-2012-4559: Ensure that we don't free req twice.
2012-11-14 17:11:03 +01:00
1471f2c67a
CVE-2012-4559: Ensure we don't free blob or request twice.
2012-11-14 17:11:03 +01:00
b485463197
CVE-2012-4560: Fix a write one past the end of 'buf'.
2012-11-14 17:11:03 +01:00
64fca8a7ed
CVE-2012-4560: Fix a write one past the end of the 'u' buffer.
2012-11-14 17:11:03 +01:00
e3d9501b31
CVE-2012-4562: Fix possible string related integer overflows.
2012-11-14 17:11:00 +01:00
1699adfa03
CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().
...
If needed is bigger than the highest power of two or a which fits in an
integer we will loop forever.
2012-11-14 17:10:57 +01:00
db81310d71
CVE-2012-4562: Fix multiple integer overflows in buffer-related functions.
2012-11-14 17:10:53 +01:00
8489521c0d
CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().
...
No exploit known, but it is better to check the string length.
2012-11-14 17:10:47 +01:00
2ee6282fdd
channels: Fix a possible infinite loop if the connection dropped.
...
This fixes bug #85.
2012-10-22 18:13:53 +02:00
ae218d0d15
channels1: Add missing request_state and set it to accepted.
...
This fixes bug #88.
2012-10-22 18:06:12 +02:00
26579b2231
auth1: Reset error state to no error.
...
This fixes bug #89.
2012-10-22 18:06:09 +02:00
04f1d950b9
session: Fix a possible use after free in ssh_free().
...
We need to cleanup the channels first cause we call ssh_channel_close()
on the channels which still require a working socket and poll context.
Thanks to sh4rm4!
2012-10-22 17:37:50 +02:00
191c0ae2bb
doc: Update copyright policy.
2012-10-14 19:58:26 +02:00
5b32f31a31
channel: Fix a possible null pointer dereference.
...
(cherry picked from commit ceb8072b34)
2012-10-05 11:48:34 +02:00
3eac8e1c18
channels: Fix a possible null pointer dereference.
...
(cherry picked from commit 656fd60110)
2012-10-05 11:47:35 +02:00
dc8f0cddee
getpass: Fix a memory leak in ssh_gets() on error.
...
(cherry picked from commit 6092596199)
2012-10-05 11:45:47 +02:00
97b263aee9
sftp: Harden sftp_extension_supported() against null pointers.
...
(cherry picked from commit 22f607649d)
2012-10-05 11:45:28 +02:00
cb53c4f0e1
sftp: Fix a memory on error in sftp_opendir().
...
(cherry picked from commit b5c4b090da)
2012-10-05 11:45:12 +02:00
0d029e7038
misc: Don't leak memory on ssh_path_expand_escape() on error.
...
(cherry picked from commit 61d032fc03)
2012-10-05 11:44:50 +02:00
aae725a44c
session: Fix a memory leak in ssh_new() on error.
...
(cherry picked from commit 280ce3fe93)
2012-10-05 11:44:12 +02:00
0e833d75e6
Fix regression in pre-connected socket setting.
...
* src/socket.c (ssh_socket_pollcallback): Factor some code out to ...
(ssh_socket_set_connecting): New.
* include/libssh/socket.h (ssh_socket_set_connecting): Add prototype.
* src/client.c (ssh_connect): Use new function for a socket set by
SSH_OPTIONS_FD.
Signed-off-by: Werner Koch <wk@gnupg.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2012-09-21 09:41:47 +02:00
ae83f77511
build: Fix missing struct in_addr warning.
...
(cherry picked from commit 782b2e37c6)
2012-07-17 18:17:05 +02:00
4d8420f328
sftp: Fix bug in sftp_mkdir not returning on error.
...
resolves: #84
(cherry picked from commit a92c97b2e1)
2012-07-17 18:13:03 +02:00
d8f2a793d3
connect: Fix a build warning.
...
(cherry picked from commit 8b8d9dc83a)
2012-07-17 17:34:50 +02:00
558b53a856
session: Cleanup timeout functions and fix packets termination.
...
It is possible that we get unrelated packets while waiting for
termination, thus waiting indefinitely. As a workaround we have to
check the user-supplied timeout.
Also cleaned up ssh_blocking_flush, which was using the timeout in a
bogus manner (resetting the timeout after each check).
2012-01-02 12:42:47 +01:00